Criminals' ATM trick: Reprogram, swipe cash

Share with others:

It can be surprisingly easy to rob an ATM, no violence necessary, as two thieves demonstrated last week in Derry Borough.

On June 19 and 20, a man and a woman reprogrammed the automated teller machine at Mastrorocco's Market so that it thought it was dispensing dollar bills when it was actually spewing twenties. The theft netted $1,540 over the course of two days.

It was an elegant heist as such things go. Security cameras showed that the robbers didn't have to do anything more than use the keypad to reprogram the device. If anyone had been watching them, it would have looked like they were just taking an especially long time in cashing out their paychecks. The pair had not been caught yesterday.

The theft was similar to one that made the news in the fall, when an ATM was robbed at a Virginia Beach, Va., gas station. That case was notable because bloggers realized that the ATM manual was available online; it listed default administrative passwords that many of the ATM owners presumably had not changed.

Although Tranax Technologies, the manufacturer of that ATM, promised a quick software fix on all of its new models, upgrading already-manufactured models was left to the initiative of the owners.

Since 75,000 Tranax ATMs were then in service, there are some that are presumably still vulnerable.

What's more, a Google search yesterday turned up a manual, administrative passwords and all, to the Tranax Mini-Bank 1500, the company's most popular model.

The ATM at Mastrorocco's Market was manufactured by Cardtronics, according to the owner, Vince Mastrorocco.

Cardtronics chief operating officer Mike Clinard said in a statement that such a theft was possible, but he emphasized that it was Mr. Mastrorocco's responsibility as the ATM owner to secure the device. Mr. Clinard also said that customers' accounts were not compromised by the theft.

Mr. Mastrorocco, on the other hand, said that he had never been informed of the existence of the administrative password that was presumably exploited by the thieves.

It's one thing to reprogram an ATM. It's another to steal the entire unit, neon sign and all.

Last summer, there was a rash of thefts in southwestern Pennsylvania in which two burly men would lasso an ATM with steel chains and secure it to the back of their pickup truck. They'd pull away, ripping the machine from its moorings, heave it into the back of the truck, and make their getaway.

ATM and Debit News, a trade publication, mentions a similar caper this winter in Arizona, in which thieves used construction equipment to bash Bank of America and Wells Fargo ATMs out of walls.

Thieves don't always target the money contained within the machines themselves. Sometimes they go for the money in the accounts of the ATM users.

Jon Piha, a professor of computer engineering at Carnegie Mellon University who has worked for ATM manufacturers, said that one method that he found particularly clever was to put an external device on the ATM that mimicked the card slot of the regular machine.

The device would read the unsuspecting user's card and produce an error message. The unsuspecting card owner would walk away without ever realizing that his or her account had been compromised. Thieves would return to retrieve the device after it was full of account numbers.

Just as some thieves steal card information, others use stolen cards to rip off machines. The Derry Borough pair used a stolen credit card to request $20 from the machine. After they had reprogrammed it, it dispensed 20 $20 bills -- a heist of $400. The pair did it two more times on the 19th until the ATM ran out of money, according Mr. Mastrorocco, the owner. They repeated the tactic the next day.

The store manager saw on the daily transaction report that something was wrong, because it displayed an odd dollar amount rather than a round multiple of 20, according to Mr. Mastrorocco.

When the store manager called Cardtronics to check on the problem, the company told him he was reading the report at the wrong time of day. So he changed the time he printed the reports, which seemed to fix the problem.

That's because the robbers didn't return, and they had reset the machine so that it functioned correctly after they left.

The theft was only reported on Tuesday, when Mr. Mastrorocco returned from vacation and noticed the discrepancy between what was in his safe and what the ATM claimed it had dispensed.